Snort mailing list archives
[Fwd: RE: [Snort-sigs] Blaster Alert-False Negative?]
From: "Jade E. Deane" <jade.deane () riven net>
Date: 17 Aug 2003 14:09:49 -0500
From: Jade E. Deane <jade.deane () riven net>
To: lordchariot () earthlink net
Cc: snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] Blaster Alert-False Negative?
Date: 17 Aug 2003 14:07:22 -0500

This brings up a question I've been kicking around for a while now...

I have a Snort sensor on a mirrored port where my very edge packet filter sits. This packet filter does not allow ANY ingress traffic that isn't already established in its egress state table.

The question is, what is a good solution for picking up attacks that require a full TCP handshake? Netcat? Honeypot machine?

Regards,
Jade
On Thu, 2003-08-14 at 11:42, lordchariot () earthlink net wrote:

I, too, wanted to just count the probe attempts for this worm by trapping any 135/137/445 attempt. I believe snort won't trigger an alert unless it actually connects to something, that is why you are not seeing any alerts. (flow:to_server,established)

I put the following in my experimental.rules and it seems to be working:

alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS Name Query Probe (137/udp)"; classtype:attempted-recon; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MS-RPC Probe (135/tcp)"; classtype:attempted-recon; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"microsoft-ds Probe (445/tcp)"; classtype:attempted-recon; )

This won't positively identify any specific worm or variant, just a generic probe attempt at these ports.

Give it a try. Good luck.

Erik
_________________________________________________
Erik Elsasser
System Engineering
CyberGuard Corporation
Northeast Region

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Bartholomew, Brian J
Sent: Wednesday, August 13, 2003 11:10 AM
To: 'snort-sigs () lists sourceforge net'
Subject: [Snort-sigs] Blaster Alert-False Negative?

Ladies and Gents,

I have a request that has been given to me to detect and report the number of times we see this worm attempting to propagate to our systems. I have implemented the "official" signatures 2192 and 2193, but have yet to see it trigger. Does this worm first try to get a response back on port 135 or 445 before attempting this exploit, or does it just flood the Internet with exploit attempts blindly? I have a feeling that I am missing something here. I find it hard to believe that we have not seen one Blaster attempt since 0800 this morning.

One thing that may be causing the non-alerts is the fact that any requests to our FW are dropped if on port 135 or 445, but the Snort device is outside the FW. That's why I was wondering if the "infected" machine needed a response before continuing with this exploit.

Any help would be greatly appreciated. Please reply to this address as I am not subscribed to the list. I just occasionally peruse via the web interface.

Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team
(571)345-2654

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
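The point Erik makes (a rule carrying flow:to_server,established cannot fire on a SYN the firewall drops, while a per-port rule without a flow option counts every probe) and Brian's puzzle about a sensor outside the firewall can both be shown with a small simulation. The following is an added example, not code from the thread or from Snort: the packets, addresses and payload are constructed, the FlowTracker is a toy stand-in for Snort's stream tracking, and the "stand-in for sid 2192/2193" rule only models the established-plus-content requirement of those signatures, not their actual content matches.

```python
"""Why a rule with flow:to_server,established stays silent on probes that a
stateful firewall drops, while a stateless per-port rule counts them.
Added example, not code from the thread; traffic below is constructed."""
from collections import Counter
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08
HOME_NET = "10.0.0."            # models $HOME_NET (constructed prefix)
ATTACKER = "198.51.100.7"       # constructed external address


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0              # TCP flags; 0 for UDP
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    msg: str
    proto: str
    dport: int
    established: bool = False   # True models flow:to_server,established


class FlowTracker:
    """Marks a client->server TCP flow established only after the full
    SYN, SYN/ACK, ACK exchange. A SYN the firewall drops never gets there."""

    def __init__(self):
        self.state = {}

    def update(self, p):
        """Feed one packet; return True if p rides an established flow."""
        if p.proto != "tcp":
            return False
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server key
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == SYN:
            self.state[fwd] = "syn_sent"
        elif p.flags == SYN | ACK and self.state.get(rev) == "syn_sent":
            self.state[rev] = "syn_received"
        elif p.flags & ACK and self.state.get(fwd) == "syn_received":
            self.state[fwd] = "established"
        return self.state.get(fwd) == "established"


def run_rules(packets, rules):
    """Apply rules in the $EXTERNAL_NET -> $HOME_NET direction only."""
    tracker = FlowTracker()
    hits = Counter()
    for p in packets:
        established = tracker.update(p)   # every packet updates flow state
        if not p.dst.startswith(HOME_NET) or p.src.startswith(HOME_NET):
            continue
        for r in rules:
            if r.proto != p.proto or r.dport != p.dport:
                continue
            if r.established and not (established and p.payload):
                continue   # needs a completed handshake and data to inspect
            hits[r.msg] += 1
    return hits


RULES = [
    Rule("NETBIOS Name Query Probe (137/udp)", "udp", 137),
    Rule("MS-RPC Probe (135/tcp)", "tcp", 135),
    Rule("microsoft-ds Probe (445/tcp)", "tcp", 445),
    # established-only rule, standing in for the official signatures
    Rule("MS-RPC established-only (stand-in for sid 2192/2193)", "tcp", 135, True),
]


def demo():
    """Constructed traffic: probes the firewall drops (no SYN/ACK ever comes
    back), then one flow that does complete the handshake and sends data."""
    dropped = [Packet("tcp", ATTACKER, 1025 + i, "10.0.0.5", 135, SYN)
               for i in range(3)]
    dropped.append(Packet("tcp", ATTACKER, 1030, "10.0.0.5", 445, SYN))
    dropped.append(Packet("udp", ATTACKER, 137, "10.0.0.5", 137))
    completed = [
        Packet("tcp", ATTACKER, 2000, "10.0.0.9", 135, SYN),
        Packet("tcp", "10.0.0.9", 135, ATTACKER, 2000, SYN | ACK),
        Packet("tcp", ATTACKER, 2000, "10.0.0.9", 135, ACK),
        Packet("tcp", ATTACKER, 2000, "10.0.0.9", 135, PSH | ACK,
               b"constructed-request"),
    ]
    return run_rules(dropped + completed, RULES)


if __name__ == "__main__":
    for msg, n in demo().items():
        print(f"{n:3d}  {msg}")
```

Running it, the stateless 135/tcp rule counts six packets (three dropped probes plus the three client packets of the completed flow), the 445/tcp and 137/udp rules one each, and the established-only stand-in fires exactly once, on the data packet after the handshake. Placed outside a firewall that drops 135/445, only the stateless rules ever see the dropped probes, which is the gap in Brian's counts; the stateless rules also fire on every packet of a legitimate flow, so they count probe packets, not distinct attackers, and a per-source tally is the more useful report.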